Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy
Assessment: Fully addressed.
When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy), the JDK's ObjectInputStream.readProxyDesc() is dispatched. The JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class, bypassing the accepted-classes list.
ZDRES-233: Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes
Assessment: Fully addressed.
For ANY class on the allow-list, deserialising a stream that names it triggers the class's <clinit> (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept("com.myapp.*"), and the attacker supplies com.myapp.SomeClass) causes <clinit> of SomeClass to run, and many real-world classes have side-effecting static initialisers.
Both issues have been fixed.
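As an added illustration (not Apache MINA's own code or its actual fix), the subclass below shows the defensive shape the two findings point at: an allow-list check on every class name before it is loaded, an override of resolveProxyClass so the TC_PROXYCLASSDESC path consults the same list, and Class.forName with initialize=false so merely naming a class in the stream does not run its <clinit>. The class name AllowListObjectInputStream, the pattern-list constructor and the use of the standard resolveClass hook (rather than readClassDescriptor) are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.lang.reflect.Proxy;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical hardened ObjectInputStream; an illustration, not MINA's implementation. */
public class AllowListObjectInputStream extends ObjectInputStream {
    private final List<Pattern> accept; // e.g. Pattern.compile("com\\.myapp\\..*")

    public AllowListObjectInputStream(InputStream in, List<Pattern> accept) throws IOException {
        super(in);
        this.accept = accept;
    }

    private boolean accepted(String className) {
        for (Pattern p : accept) {
            if (p.matcher(className).matches()) return true;
        }
        return false;
    }

    private ClassLoader loader() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return cl != null ? cl : getClass().getClassLoader();
    }

    /** Check the name first, then load with initialize=false: the static initialiser of an
     *  allow-listed class is not run during class resolution, only if an instance is built. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!accepted(name)) throw new InvalidClassException(name, "class not on allow-list");
        return Class.forName(name, false, loader());
    }

    /** The JDK default loads every interface name without consulting the allow-list;
     *  overriding it closes the proxy descriptor bypass described above. */
    @Override
    @SuppressWarnings("deprecation")
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        Class<?>[] ifaces = new Class<?>[interfaces.length];
        for (int i = 0; i < interfaces.length; i++) {
            if (!accepted(interfaces[i])) throw new InvalidClassException(interfaces[i], "proxy interface not on allow-list");
            ifaces[i] = Class.forName(interfaces[i], false, loader());
        }
        return Proxy.getProxyClass(loader(), ifaces);
    }
}
```

If the application never legitimately deserialises dynamic proxies, the simpler and stronger option is to throw unconditionally from resolveProxyClass.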
Analysis (AI)
Unsafe Java deserialization in Apache MINA's ObjectSerializationDecoder allows remote unauthenticated attackers to bypass the acceptMatchers class allow-list and achieve arbitrary code execution. Two distinct flaws are addressed: a TC_PROXYCLASSDESC handling gap where resolveProxyClass is not overridden (permitting java.lang.reflect.Proxy instantiation outside the allow-list), and a Class.forName invocation in readClassDescriptor that triggers static initializers of allow-listed classes before any instance check. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target application instantiate MINA's ObjectSerializationDecoder (or otherwise feed attacker-controlled bytes into MINA's ObjectInputStream-backed codec) on a network-reachable endpoint; default MINA installations do not auto-expose this decoder, so vulnerability depends on the embedding application's pipeline configuration. … |
| Risk Assessment | The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is consistent with classic Java deserialization RCE: a remote, unauthenticated attacker can submit a crafted serialized stream over any MINA endpoint that decodes Java objects and trigger code paths outside the operator's allow-list. … |
| Exploit Scenario | An attacker locates an internet- or intranet-exposed service built on Apache MINA that uses ObjectSerializationDecoder (for example, a legacy RPC endpoint or a service inheriting MINA's default codec) and sends a TLV-framed message whose payload is a Java serialized stream containing a TC_PROXYCLASSDESC referencing interfaces backed by a classic gadget chain (such as InvocationHandler chains from common libraries on the classpath), causing arbitrary code execution as the MINA process user. Alternatively, the attacker enumerates allow-listed class name prefixes from configuration leaks or guessing and names a class whose static initializer triggers an exploitable side effect (JNDI lookup, file write, command execution). … |
| Remediation | Patch available per vendor advisory: upgrade Apache MINA to the fixed release described in the Apache advisory at https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj; the exact fix version is not enumerated in the provided data, so confirm the release tag against that thread before deploying. … |
Recommended Action (AI)
24 hours: Conduct comprehensive inventory of all Java applications using Apache MINA library; prioritize audit of systems exposing serialization codecs to external or untrusted networks. …
Related identifiers
EUVD-2026-34069
GHSA-v3pr-hxpr-mfm8